[Owasp-leaders] HTML5 local storage..

Eoin eoin.keary at owasp.org
Thu Dec 5 10:08:47 UTC 2013


Would a weak browser (IE6) infected with Malware be an issue here?
Certificate stores / Keystores have passwords etc but local storage does
not.



On 5 December 2013 10:06, Eoin <eoin.keary at owasp.org> wrote:

> Hi Chris,
> What you're saying is using local storage as a "certificate store" sorta
> affair? Like a keystore for auth/authz when using an app?
>
>
>
> On 5 December 2013 09:56, Christian Papathanasiou <
> christian.papathanasiou at owasp.org> wrote:
>
>> Hi everyone,
>>
>> Assuming a domain does all the right stuff regarding XSS protection
>> (white listing, output encoding, CSP etc etc) could HTML 5 local storage
>> perhaps be a very interesting candidate for storing session cookies and
>> performing authentication/authorization?
>>
>> Reading between the lines the following key benefits stood out for me:
>>
>> Local storage token/cookie not transmitted over the wire hence
>> minimising opportunity of cookie theft from sniffing
>>
>> Same origin policy means that local storage cookie will be
>> protected/relatively immune from CSRF attacks and hence no additional
>> effort required to CSRF tokenize forms etc.
>>
>> Of course, if your site has XSS then local storage cookies can be
>> siphoned off or even injected but assuming for the time being that the site
>> is immune to XSS and hence the lack of http only doesn't really matter and
>> everything going over SSL by default (hence secure flag doesn't really
>> matter) would the above benefits hold true?
>>
>> Of course the user can mangle the local storage token/cookie but that
>> would in effect not really be different to doing the same with burp proxy
>> etc as long as token/cookie is sufficiently random complex etc and unable
>> to infer other people's session tokens for horizontal or vertical priv esc.
>>
>> Am I missing something fundamental from a security perspective here? :-)
>>
>> Finally are there any local storage authentication/authorization
>> frameworks out there?
>>
>> Many thanks & kind regards,
>> Christian Papathanasiou.
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
>
> --
> Eoin Keary
> OWASP Member
> https://twitter.com/EoinKeary
>
>


-- 
Eoin Keary
OWASP Member
https://twitter.com/EoinKeary